Onavo allows users to create a virtual private network that
redirects internet traffic to a private server managed by
Facebook. The app, which bills itself as a way to “keep you and
your data safe,” also alerts users when they visit potentially
malicious sites. Facebook is able to collect and analyze Onavo
users’ activity to get a picture of how people use their phones
beyond Facebook’s apps.

Earlier this month, Apple officials informed Facebook that the app
violated new rules outlined in June designed to limit data
collection by app developers, the person familiar with the
situation said. Apple informed Facebook that Onavo also violated a
part of its developer agreement that prevents apps from using data
in ways that go beyond what is directly relevant to the app or to
provide advertising, the person added.

Here is the money line from Onavo’s terms of service:

To provide this layer of protection, Onavo uses a VPN to establish
a secure connection to direct all of your network communications
through Onavo’s servers. As part of this process, Onavo collects
your mobile data traffic. This helps us improve and operate the
Onavo service by analyzing your use of websites, apps and data.
Because we’re part of Facebook, we also use this info to improve
Facebook products and services, gain insights into the products
and services people value, and build better experiences.

In other words, while you’re using Onavo, Facebook collects everything you do on the Internet — not just on the web but within apps too. As I wrote back in February, it’s spyware, pure and simple. I’m glad Apple cracked down on this, but it shouldn’t have taken until August.